Concerns regarding T3065 dirmngr: proxy issues with dnslookup causing failure

林博仁Buo-ren Lin buo.ren.lin at gmail.com
Sat Sep 28 20:48:45 CEST 2024


Hello list,

I want to express my concerns over the following closed ticket:

⚓ T3065 dirmngr: proxy issues with dnslookup causing failure
https://dev.gnupg.org/T3065

I can reproduce the same issue: dirmngr is unable to function properly
if the DNS resolution is not working on the host system but has an
otherwise functioning HTTP proxy configuration.  The Internet access
worked for most of the applications on the system (as they delegate the
task of DNS resolution to the proxy service) except for GnuPG and a
very few others.

Here are the dirmngr log entries that were generated when I ran the
following command in a terminal:

```
gpg2 --keyserver hkps://keyserver.ubuntu.com \
  --keyserver-options "timeout=40 http-proxy=$http_proxy" \
  --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
```

```
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: resolve_dns_addr for
'keyserver.ubuntu.com': '[2620:2d:4000:1007::d43]'
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: resolve_dns_addr for
'keyserver.ubuntu.com': '[2620:2d:4000:1007::70c]'
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: resolve_dns_addr for
'keyserver.ubuntu.com': '185.125.188.27'
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: resolve_dns_addr for
'keyserver.ubuntu.com': '185.125.188.26'
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: number of system provided CAs: 146
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: can't connect to
'192.168.49.1': no IP address for host
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: error connecting to
'https://[2620:2d:4000:1007::d43]:443': Unknown host
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: marking host
'[2620:2d:4000:1007::d43]' as dead
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: can't connect to
'192.168.49.1': no IP address for host
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: error connecting to
'https://[2620:2d:4000:1007::70c]:443': Unknown host
Sep 29 02:41:15 brlin-fw13 dirmngr[182307]: marking host
'[2620:2d:4000:1007::70c]' as dead
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: TLS handshake failed: The
TLS connection was non-properly terminated.
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: error connecting to
'https://185.125.188.27:443': Network error
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: marking host
'185.125.188.27' as dead
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: TLS handshake failed: The
TLS connection was non-properly terminated.
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: error connecting to
'https://185.125.188.26:443': Network error
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: marking host
'185.125.188.26' as dead
Sep 29 02:41:16 brlin-fw13 dirmngr[182307]: command 'KS_GET' failed:
Network error <Unspecified source>
```

According to werner's comment in the thread:

> If you specify a pool of keyservers dirmngr selects a keyserver on its own from the pool. This is so that it can use its own heuristics to detect whether a keyserver is dead and then retry another one. Now the default is a pool and your specified keyserver.ubuntu.com is also a pool (of two servers). So if your DNS resolver does not tell us the IP addresses, we can't do anything about it.

IMHO as the actual DNS resolution may not be available in a networking
environment that provides internet access over an HTTP proxy service,
dirmngr should:

* Treat the requested keyserver as the single server in the pool and
avoid checking the availability.
* Access the keyserver by name instead of IP address, and delegate the
name resolution task to the configured proxy service.
* Avoid resolving the host address of the proxy service itself if the
supplied proxy address is an IP address.

Thanks for your time and attention,
林博仁(Buo-ren Lin)
buo.ren.lin at gmail.com

Note: Please CC me when replying as I am only subscribed to the list in
digest mode, thank you.
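The behaviour the three points above describe, as an added example that is not part of the original post and is not GnuPG or dirmngr code: a client with a forward HTTP proxy configured dials only the proxy, skips any local lookup when the proxy address is an IP literal, opens a CONNECT tunnel to the keyserver by name so the proxy performs the resolution, and treats that one name as the whole "pool" instead of expanding it into addresses to probe. The helper names, the `DEFAULT_PORTS` table and the sample proxy `http://192.168.49.1:3128` (the post's log shows the address but not the port) are assumptions.

```python
"""Added example (not from the post, GnuPG or dirmngr): keyserver access
through an HTTP proxy without the client doing DNS for the keyserver."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Assumed defaults: hkp is HTTP on 11371, hkps is HTTPS on 443.
DEFAULT_PORTS = {"http": 80, "https": 443, "hkp": 11371, "hkps": 443}


def split_host_port(url):
    """Return (scheme, host, port) for e.g. hkps://keyserver.ubuntu.com or
    http://192.168.49.1:3128.  IPv6 literals come back without brackets."""
    parts = urlsplit(url)
    if not parts.scheme or parts.hostname is None:
        raise ValueError("expected scheme://host[:port], got %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        raise ValueError("no default port for scheme %r" % parts.scheme)
    return parts.scheme, parts.hostname, port


def is_ip_literal(host):
    """An IPv4/IPv6 literal can be dialled without any DNS query."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def needs_local_dns(proxy_url):
    """Only a proxy given by name needs a lookup on the client side."""
    _, host, _ = split_host_port(proxy_url)
    return not is_ip_literal(host)


def connect_request(keyserver_url):
    """Build the CONNECT request (RFC 7231, section 4.3.6) using the
    keyserver's *name*, so the proxy, not this client, resolves it."""
    _, host, port = split_host_port(keyserver_url)
    authority = ("[%s]:%d" if ":" in host else "%s:%d") % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)).encode("ascii")


def plan_keyserver_access(keyserver_url, proxy_url):
    """Combine the three points: dial the proxy (resolving it only if it is a
    name), tunnel to the keyserver by name, and keep the pool as that single
    name rather than a list of resolved addresses to mark dead one by one."""
    _, proxy_host, proxy_port = split_host_port(proxy_url)
    _, ks_host, _ = split_host_port(keyserver_url)
    return {
        "dial": (proxy_host, proxy_port),
        "resolve_proxy_locally": not is_ip_literal(proxy_host),
        "pool": [ks_host],  # single entry: no per-address availability probing
        "connect": connect_request(keyserver_url),
    }


def open_tunnel(plan, timeout=40):
    """Dial the proxy, send CONNECT, check its status line, then start TLS to
    the keyserver with SNI and certificate validation against the *name*.
    Needs network access, so the self-test does not call it."""
    proxy_host, proxy_port = plan["dial"]
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(plan["connect"])
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise OSError("proxy closed the connection during CONNECT")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[0].startswith(b"HTTP/1.") or status[1] != b"200":
        sock.close()
        raise OSError("proxy refused CONNECT: %r" % reply.split(b"\r\n", 1)[0])
    ctx = ssl.create_default_context()  # verifies the keyserver cert by name
    return ctx.wrap_socket(sock, server_hostname=plan["pool"][0])


if __name__ == "__main__":
    plan = plan_keyserver_access("hkps://keyserver.ubuntu.com", "http://192.168.49.1:3128")
    print("dial proxy:", plan["dial"], "local DNS needed:", plan["resolve_proxy_locally"])
    print("pool:", plan["pool"])
    print(plan["connect"].decode("ascii"))
```

With the constructed proxy address, `plan_keyserver_access` reports that no local lookup is needed, and the only name that ever crosses the wire is `keyserver.ubuntu.com:443` inside the CONNECT line; the TLS step still validates the certificate against that name, so delegating resolution to the proxy does not weaken the hostname check.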



More information about the Gnupg-users mailing list